[RCU] FYI : RuleID 981248 in modsecurity_crs_41_sql_injection_attacks breaks RC

S.Loewenthal simon at klunky.co.uk
Thu Nov 3 16:17:11 CET 2011


Hi there,

This tripped me up today so thought I should add it.

ModSec rule 981248 contained in CRS base rules 
modsecurity_crs_41_sql_injection_attacks will cause RC to break as shown 
below.


[Thu Nov 03 15:57:49 2011] [error] [client 82.173.139.52] ModSecurity: 
Access denied with code 403 (phase 2). Pattern match 
"(?i:(?:@.+=\\\\s*\\\\(\\\\s*select)|(?:\\\\d+\\\\s*x?or|div|like|between|and\\\\s*\\\\d+\\\\s*[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*(?:drop|alter))|(?:(?:;|#|--)\\\\s*(?:update|insert)\\\\s 
..." at REQUEST_COOKIES:roundcube_sessid. [file 
"/modsec/modsec-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 
1/2"] [data "7or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag 
"WEB_ATTACK/ID"] [hostname "webmail.example.com"] [uri "/"] [unique_id 
"TrKr7VjGXw0AABsFSnEAAAAB"]

A workaround is to add this to the vhost:
SecRuleRemoveById 981248

BR,
S
-- 
List info: http://lists.roundcube.net/users/
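
Why a harmless session cookie trips this rule, as an added example that is not part of the original post: it runs the one alternative of the pattern that is fully visible in the log line against constructed cookie values. The session-id format (26 characters from 0-9a-v), the sample values and the function names are assumptions made for illustration.

```python
import random
import re

# Second alternative of rule 981248, unescaped from the log line above.
# The log truncates the pattern ("..."), so the rest is not reproduced.
VISIBLE_BRANCH = re.compile(
    r"(?i:(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+]))"
)

# Assumed session-id format (constructed): 26 chars drawn from 0-9a-v.
ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def first_match(value):
    """Return the substring that triggers the branch, or None."""
    m = VISIBLE_BRANCH.search(value)
    return m.group(0) if m else None


def constructed_session_ids(count, seed=1):
    """Deterministic, constructed stand-ins for random session ids."""
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(26))
            for _ in range(count)]


def false_positive_rate(values):
    """Fraction of harmless values this branch would block."""
    return sum(first_match(v) is not None for v in values) / len(values)


if __name__ == "__main__":
    # Constructed cookie value containing the "7or" reported in [data].
    print(first_match("k2n7orq9d0c3e8a1b5f4g6h2j0"))
    # "|" binds loosely: div, like and between match with no digit at all.
    print(first_match("p0sdivm3"))
    rate = false_positive_rate(constructed_session_ids(20000))
    print(f"{rate:.2%} of constructed session ids match")
```

Since the match is on the cookie value alone, excluding only that target with `SecRuleUpdateTargetById 981248 "!REQUEST_COOKIES:roundcube_sessid"` keeps the rule active for other inputs, unlike `SecRuleRemoveById`.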